Statedef Overflow Tutorial
To perform a statedef overflow you will need Cheat Engine, OllyDbg, and a hex editor like HxD.

A statedef overflow is a statedef that has a long string after it. What covers the return address, and how long is it? At least 57 to 60 characters. The address is contained in the last 4 characters of the overflow, like this:

1234567890123456789012345678901234567890123456789012345abcd

Also note that a space is counted as a character, and so is "!". "abcd" is a temporary address, but you can use this instead:

ë:
This is a jump instruction that will make Mugen jump to your ASM code so it can be read.

23456789012345678901234567890123456789012345678901234
This is just the typical overflow, to overflow the unneeded part.

F2@
This is the pointer.

Make sure that after the statedef there is at least one state controller, so it won't give you a state controller error. Like this:

State
type = assertspecial
trigger1 = 0
flag = timerfreeze

or anything else; type = null works too, as does any other state controller.

It's better to write the statedef overflow in a ST than in a CNS, because a CNS has two return values but a ST only has one, and we only need one return value. As for the pointer, it does not change much if you use v-@ instead of F2@, but I will say using F2@ is better.

ë:23456789012345678901234567890123456789012345678901234F2@
State
type = assertspecial
trigger1 = 0
flag = timerfreeze

But we don't have our ASM code yet. We'll do a quick search. Open Cheat Engine, then find the addresses of lifeset and ctrlset. In the memory view, find the character's lifeset and ctrlset:

004AB2A4
004AB1D0

Now open Notepad and take a close look at address 004AB2A4. You know how %n works: it changes the value at a memory address. Statedef overflow can do the same. Most %n tricks can be converted into a statedef overflow, including the parentbug.

One of the most important instructions in ASM is MOV. The MOV DWORD instruction moves, or changes, 4 values starting at a certain address:

MOV DWORD PTR DS:[4AB2A4],6C727463

This changed "life" to "ctrl". You see: same address, but using MOV DWORD you can change the 4 values starting from the initial address, which means this MOV DWORD changed the values of 4AB2A4, 4AB2A5, 4AB2A6 and 4AB2A7. Since we changed lifeset to ctrlset, we need to change ctrlset to lifeset to avoid an error.

Now write the next MOV DWORD, the one that will change ctrlset to lifeset. You need to write the ASM value from right to left, like the first MOV:

MOV DWORD PTR DS:[4AB2A4],6C727463
63 = c
74 = t
72 = r
6C = l

That's why it's good to think from right to left instead of left to right when writing ASM.

MOV DWORD PTR DS:[4AB1D0],6566696C

This is the second MOV; it changes ctrlset back to lifeset so there will be no errors.

Finally, we are almost finished with the ASM code. The three instructions we need to finish it are:

SUB ESP,18
MOV DWORD PTR SS:[ESP],47EB31
RETN

SUB ESP,18: because we use 18 spaces for our ASM code, we need to decrease the ESP to 0.

MOV DWORD PTR SS:[ESP],47EB31: we need to change the ESP value back to the original value. This is the most important instruction.

RETN: it returns from your ASM code, like the return statement in C or any other programming language. Use it so your code is valid.

So our full ASM code is this:

MOV DWORD PTR DS:[4AB2A4],6C727463
MOV DWORD PTR DS:[4AB1D0],6566696C
SUB ESP,18
MOV DWORD PTR SS:[ESP],47EB31
RETN

Now open OllyDbg and find a code cave, which is an area filled with 00. That is where we will translate our ASM code to ASCII. Open Winmugen.exe with OllyDbg. You can paste your code, but with your own memory addresses; make sure you paste it correctly. Now copy the ASCII:

Ç¤²J.ctrlÇÐ±J.lifeƒìÇ$1ëG.Ã.

You see the "."? That is a space that you need to put in:

Ç¤²J ctrlÇÐ±J lifeƒìÇ$1ëG Ã

That's the ASM code. Now put in a ctrlset state controller so we can test whether it works:

State
type = ctrlset
trigger1 = 1
value = 1

The full example:

ë:23456789012345678901234567890123456789012345678901234F2@
Ç¤²J ctrlÇÐ±J lifeƒìÇ$1ëG Ã
State
type = ctrlset
trigger1 = 1
value = 1
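As an added defensive example (not part of the original tutorial), here is a Python scanner that flags the pattern described above in a character's .st/.cns text: a statedef header at or past the 57-character length the text gives, or control/non-ASCII bytes outside comments, which is what pasted opcodes look like in a text editor. It assumes Mugen's "[Statedef ...]" section syntax (brackets optional) and ";" comments; the sample file is constructed.

```python
import re

# Matches a statedef header with or without the surrounding brackets, e.g.
# "[Statedef 200]"; the body is everything up to the closing bracket or end of line.
STATEDEF_RE = re.compile(r"^\s*\[?\s*statedef\b(?P<body>[^\]]*)", re.IGNORECASE)
OVERFLOW_LEN = 57  # the text above: "at least 57 characters to 60 characters"


def has_binary_chars(s):
    """True if s contains control characters (other than tab) or non-ASCII
    characters, which is what raw opcode bytes look like once pasted into a
    text file (e.g. 0xC7, 0xEB, 0xC3 show up as accented letters)."""
    return any((ord(c) < 0x20 and c != "\t") or ord(c) >= 0x7F for c in s)


def scan_mugen_state_file(text, threshold=OVERFLOW_LEN):
    """Return a list of (line_number, reason) for suspicious lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # drop Mugen ';' comments
        if not line.strip():
            continue
        m = STATEDEF_RE.match(line)
        if m:
            body = m.group("body").strip()
            if len(body) >= threshold:
                findings.append((lineno, f"statedef header is {len(body)} chars "
                                 f"(>= {threshold}): long enough to reach the return address"))
            if has_binary_chars(body):
                findings.append((lineno, "statedef header contains control/non-ASCII bytes"))
        elif has_binary_chars(line):
            findings.append((lineno, "control/non-ASCII bytes outside a comment: possible pasted machine code"))
    return findings


# Constructed sample, not a real character file: one normal statedef, one
# overlong header, and one line carrying a high byte (0xC3) and a control byte (0x18).
SAMPLE = "\n".join([
    "[Statedef 200]  ; normal",
    "type = S",
    "[Statedef " + "A" * 58 + "F2@]",
    "[State 200, 1]",
    "type = assertspecial",
    "trigger1 = 0",
    "flag = timerfreeze",
    "\u00c3\x18 filler",
])

if __name__ == "__main__":
    for lineno, reason in scan_mugen_state_file(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Non-English authors sometimes put non-ASCII text in names and comments, so treat a hit as something to open in a hex editor, not as proof by itself.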